A malicious campaign by North Korean state actors saw a malicious npm package dependency slipped into a crypto trading agent by an AI coding agent, according to a new report by ReversingLabs. The incident highlights a troubling new frontier in software supply chain attacks: hackers targeting developers...and the AI tools writing their code.
The post How Claude Planted Malicious Code In A Crypto-Trading App appeared first on The Security Ledger with Paul F. Roberts.
The post The Malware Factory: Unmasking the 108-Package North Korean Siege on npm appeared first on Daily CyberSecurity.
O que as palavras bakso, sate e rendang trazem à mente? Para muitos, a resposta é “nada”; os amantes da gastronomia as reconhecerão como alimentos básicos da Indonésia. Já aqueles que seguem as notícias de segurança cibernética se lembrarão de um ataque ao ecossistema Node Package Manager (npm), a ferramenta que permite que os desenvolvedores usem bibliotecas pré-formatadas em vez de escrever cada linha de código do zero.
Em meados de novembro, o pesquisador de segurança Paul McCarty relatou a descoberta de uma campanha de spam destinada a sobrecarregar o repositório do npm. É claro que pacotes sem sentido já apareceram no repositório antes, mas, neste caso, dezenas de milhares de módulos foram encontrados sem nenhuma utilidade. O único objetivo deles era injetar dependências completamente desnecessárias em projetos.
Os nomes dos pacotes apresentavam nomes de pratos indonésios e termos culinários inseridos de forma aleatória, como bakso, sate e rendang, o que levou a campanha a receber o apelido “IndonesianFoods”. A escala foi impressionante: no momento da descoberta, aproximadamente 86 mil pacotes haviam sido identificados.
Abaixo, veremos como isso aconteceu e o que os invasores estavam realmente procurando.
À primeira vista, os pacotes da IndonesianFoods não pareciam lixo óbvio. Eles apresentavam estruturas padrão, arquivos de configuração válidos e até mesmo documentação bem formatada. De acordo com pesquisadores do Endor Labs, essa camuflagem permitiu que os pacotes permanecessem no repositório do npm por quase dois anos.
Não é como se os invasores tentassem a todo custo inserir suas criações em projetos externos. Em vez disso, eles simplesmente inundaram o ecossistema com um código de aparência legítima, esperando que alguém cometesse um erro de digitação ou selecionasse por engano sua biblioteca nos resultados da pesquisa. Não está claro exatamente o que alguém precisaria estar procurando para confundir um nome de pacote com um prato indonésio, mas a pesquisa original observa que pelo menos 11 projetos de alguma forma incluíram esses pacotes em suas compilações.
Uma pequena parte desses pacotes inúteis tinha um mecanismo de autorreplicação incorporado: uma vez instalados, eles criariam e publicariam novos pacotes no repositório do npm a cada sete segundos. Esses novos módulos apresentavam nomes aleatórios (também relacionados à culinária indonésia) e números de versão. Todos publicados, como seria de esperar, usando as credenciais da vítima.
Outros pacotes maliciosos integrados à plataforma blockchain TEA. O projeto TEA foi concebido para recompensar criadores de código aberto com tokens em proporção à popularidade e ao uso de suas criações, teoricamente operando em um modelo de “prova de contribuição”.
Uma parte significativa desses pacotes não continha funcionalidade real, mas muitas vezes carregavam uma dúzia de dependências que, como você pode imaginar, apontavam para outros projetos de spam dentro da mesma campanha. Assim, se uma vítima incluir por engano um desses pacotes maliciosos, ele carregará consigo diversos outros, alguns dos quais terão suas próprias dependências. O resultado é um projeto final com uma enorme quantidade de código redundante.
Há duas teorias principais. O mais óbvio é que toda essa elaborada campanha de spam foi projetada para explorar o protocolo TEA mencionado acima. Essencialmente, sem fazer nenhuma contribuição útil para a comunidade de código aberto, os invasores ganham tokens TEA, ou seja, ativos digitais padrão que podem ser trocados por outras criptomoedas em plataformas de negociação. Usando uma rede de dependências e mecanismos de autorreplicação, os invasores se passam por desenvolvedores de código aberto legítimos para inflar artificialmente a significância e as métricas de uso de seus pacotes. Nos arquivos README de determinados pacotes, os invasores até se gabam de seus ganhos.
No entanto, há uma teoria mais assustadora. Por exemplo, o pesquisador Garrett Calpouzos sugere que o que estamos vendo é apenas uma prova de conceito. A campanha da IndonesianFoods pode estar testando um novo método de entrega de malware destinado a ser vendido posteriormente a outros agentes de ameaças.
À primeira vista, o perigo para as organizações de desenvolvimento de software pode não ser óbvio: com certeza, a IndonesianFoods desordena o ecossistema, mas não parece carregar uma ameaça imediata, como ransomware ou violações de dados. No entanto, as dependências redundantes sobrecarregam o código e desperdiçam recursos no sistema do desenvolvedor. Além disso, pacotes inúteis publicados sob o nome de sua organização podem prejudicar seriamente sua reputação dentro da comunidade de desenvolvedores.
Também não podemos descartar a teoria de Calpouzos. Se esses pacotes de spam incorporados ao seu software receberem uma atualização que introduza uma funcionalidade realmente maliciosa, eles podem se tornar uma ameaça não apenas para a sua organização, mas também para seus usuários, evoluindo para um ataque completo à cadeia de suprimentos.
Os pacotes de spam não entram em um projeto sozinhos; sua instalação ocorre em um momento de distração do desenvolvedor. Portanto, recomendamos conscientizar regularmente os funcionários, mesmo os mais experientes, sobre as ameaças cibernéticas modernas. Nossa plataforma interativa de treinamento, a KASAP (Kaspersky Automated Security Awareness Platform), pode ajudar.
Além disso, você pode impedir a infecção usando uma solução especializada para proteger ambientes conteinerizados. Ela faz a verificação de imagens e dependências de terceiros, integra-se ao processo de compilação e monitora contêineres durante o tempo de execução.
Se quiser saber mais detalhes sobre os ataques contra a cadeia de suprimentos, deixamos aqui o nosso convite para consultar o relatório analítico Supply chain reaction: securing the global digital ecosystem in an age of interdependence (Reação em cadeia de suprimentos: proteção do ecossistema digital global em uma era de interdependência). Ele é baseado em insights de especialistas técnicos e revela com que frequência as organizações enfrentam riscos de cadeia de suprimentos e de relacionamento confiável e como estes são percebidos.
The post The Human Variable: How a Masterful Phishing Ruse Hijacked Axios and 100 Million Users appeared first on Daily CyberSecurity.
Threat actors compromised the npm account of Axios, a widely used library with over 100M weekly downloads, and published malicious versions to spread remote access trojans across Linux, Windows, and macOS. The supply chain attack was identified by multiple security firms after the rogue updates appeared on the npm registry.
Malicious versions of Axios (1.14.1 and 0.30.4) were published within an hour without OIDC verification or matching GitHub commits, raising immediate red flags. Researchers believe attackers compromised maintainer Jason Saayman’s npm account.
“Anyone who installed either version before the takedown should assume their system is compromised. The malicious versions inject a dependency (plain-crypto-js) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux.” read the report published by Aikido Security.
The impact is unclear, but given Axios’ ~400M monthly downloads, many downstream projects may have been exposed during the brief attack window.
Socket researchers reported that a malicious package called plain-crypto-js@4.2.1 was published and detected within minutes, likely as part of a coordinated attack targeting Axios. Attackers inserted this dependency into two compromised Axios versions, allowing malware to spread through a trusted library used by millions of projects. Because many developers rely on automatic updates, affected versions could be installed without notice.
The malicious code was designed to stay hidden. It used obfuscation techniques to avoid detection and ran automatically during installation through a post-install script. Once executed, it checked the operating system (Windows, macOS, or Linux) and downloaded a second-stage payload tailored to each platform. In the case of macOS, researchers confirmed the delivery of a fully functional remote access trojan (RAT) capable of collecting system information, communicating with a command-and-control server, and executing commands.
“Security researcher Joe Desimone from Elastic Security captured and reverse-engineered the macOS second-stage binary before the C2 went offline. The payload is a fully functional remote access trojan written in C++.” reads the report published by Socket.
To avoid being discovered, the malware removed its own traces after running. It deleted installation files and restored clean-looking package content, making the infected library appear normal. The experts believe the attack was possible due to the compromise of a maintainer account, enabling unauthorized publishing of malicious updates.
Given the huge number of Axios downloads, the potential impact is significant, even though the exposure window was relatively short.
Socket security researchers found two more packages spreading the same malware through hidden dependencies linked to Axios. The package @shadanai/openclaw included the malicious plain-crypto-js deep inside its code, using identical obfuscation, command-and-control infrastructure, and self-deleting behavior. Another package, @qqbrowser/openclaw-qbot, used a different method by bundling a tampered Axios version that silently installed the malicious dependency.
In both cases, the infection likely happened automatically when these projects pulled the compromised Axios release. This shows how a single poisoned dependency can quickly spread across many projects, especially with automated builds and fast package publishing pipelines.
To check if you’re affected by the Axios attack, verify if your project includes malicious versions (1.14.1 or 0.30.4) or the hidden plain-crypto-js package. Look for leftover files or RAT artifacts on macOS, Windows, or Linux systems. Even if some files were removed, traces may remain. Alternatively, use automated tools like Aikido to scan dependencies and quickly detect any compromised packages.
Both Socket and Aikido provided Indicators of compromise (IOCs) for this supply chain attack.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, supply chain attack)
ENISA has released its first Technical Advisory on Package Managers, focusing on how developers can safely consume third-party packages. The document (March 2026, v1.1) follows public feedback incorporating 15 contributions from stakeholders, experts, and the open-source community.
“This document focuses on how developers can securely use package managers as part of their software development life cycle.” states the report. “In particular, this document, outlines common risks involved in the use of third-party packages, presents secure practices for selecting, integrating, and monitoring packages and describes approaches for addressing vulnerabilities found in dependencies.”
Package managers are essential in modern software, automating installation, updates, and removal of libraries with their dependencies. They involve packages (reusable code), dependencies (direct or transitive), developers (publishers), applications (consumers), repositories (npm, PyPI), and the managers themselves (npm, pip).
Developers publish code, which others download and integrate. For example, npm install express fetches express plus ~68 dependencies. Not all installed code runs at runtime, reachability analysis identifies active modules, helping prioritize security risks, as vulnerabilities in unused code are less likely exploitable.
Packages boost collaboration through sharing and reuse, efficiency by avoiding reinventing the wheel, consistency with standardized components, maintainability via centralized updates, and quality from repeated testing across projects. Yet this interconnectedness amplifies risks: a vulnerability in express, with 100k+ direct dependencies and over 1M transitive ones, can devastate entire ecosystems. React’s CVE-2025-55182 (CVSS 10.0) threatened 12M sites. A single malicious dependency cascades globally, turning convenience into a massive attack surface.
Package risks come in two main forms. First, inherent vulnerabilities from poor coding (e.g., input validation flaws, path traversal, info leaks, unsafe deserialization) or abandoned packages like node-serialize or crypto-js. Second, supply chain attacks—malicious packages, compromised legit packages (event-stream, ua-parser-js), typosquatting (crossenv), or namespace confusion, can ripple widely, as seen with npm, which affects 2.6B weekly downloads and millions of downstream projects.
When selecting and integrating third-party packages, developers should follow a careful, structured approach to reduce security risks. During the selection phase, it’s crucial to choose packages from trusted sources with clear provenance and maintainers with a reliable reputation. Scanning for known vulnerabilities using tools like npm audit or OSV, verifying signatures and package integrity, and reviewing maintainer activity and popularity metrics help ensure that dependencies are both secure and actively maintained. Minimizing the number of dependencies and avoiding packages with unsafe scripts further reduces the attack surface.
During integration, developers should adopt practices that enforce transparency and control. Generating a Software Bill of Materials (SBOM) allows teams to track exactly what code is included in a project. Running vulnerability scans in CI/CD pipelines, using lockfiles and SHA hashes to enforce integrity, employing local package proxies, skipping install scripts when possible, and pinning specific package versions help prevent unexpected changes. Committing lockfiles and reviewing changelogs before upgrades ensures that updates are deliberate and safe, maintaining the security and reliability of the software supply chain.
Effective monitoring and mitigation are essential for securing third-party packages. For monitoring, integrate SBOM-based scanners like Grype or osv-scanner into CI/CD pipelines to continuously track vulnerabilities. Keep up with CVEs via EUVD, OSV.dev, Snyk, NVD, or Dependabot, and watch for outdated packages, deprecations, or changes in maintainers that could signal risks.
For mitigation, prioritize fixes using CVSS scores, EPSS, KEV catalogs, VEX statements, and reachability analysis with tools such as CodeQL or Semgrep. Address issues by patching, isolating affected components, or rolling back to safe versions, while updating SBOMs, mitigation notes, and notifying stakeholders to maintain long-term supply chain security.
“This document is intended to serve as a starting point with concise guidance on package consumption
within software projects, encouraging risk aware decision making when consuming and managing thirdparty packages. While many of the listed examples focus on npm, pip and GitHub, the recommendations are designed to apply across package manager ecosystems.” concludes the report. “The software supply chain landscape continues to evolve, with new tools, processes and risks emerging over time. Therefore, organisations should treat this subject as an ongoing activity and periodically review and update their practices to reflect changes in available tooling, threats and ecosystem-specific guidance.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ENISA)
ReversingLabs researcher uncovered new malicious packages on npm and PyPI connected to a fake job recruitment campaign attributed to the North Korea-linked Lazarus Group. The campaign uses deceptive hiring themes to trick developers into downloading infected packages, continuing the group’s efforts to target the software supply chain.
“The ReversingLabs research team has identified a new branch of a fake recruiter campaign conducted by the North Korean hacking team Lazarus Group.” reads the report published by ReversingLabs. “The campaign, which the team named graphalgo, based on the first package included in this campaign in the npm repository, has been active since the beginning of May 2025.”
The campaign, tracked as ‘graphalgo’, has been active since May 2025 and targets JavaScript and Python developers with fake cryptocurrency recruiter tasks. Attackers approach victims on LinkedIn, Facebook, and Reddit, posing as a blockchain company. Malicious code is hidden through multiple public platforms, including GitHub, npm, and PyPI. The researchers noticed that one npm package, bigmathutils, gained over 10,000 downloads before attackers pushed a malicious update.
The Graphalgo campaign is a modular, multi-stage operation designed to stay active even if parts are exposed:
Phase 1 – Fake company:
Attackers created a fake blockchain firm, Veltrix Capital, with websites and GitHub organizations that look legitimate but lack real leadership details. When one setup risks exposure, they spin up a new company, domains, and AI-generated content to rebuild trust.
Phase 2 – Interview tasks:
The fake company publishes GitHub “job interview” repositories in Python and JavaScript. These projects look harmless, but they secretly depend on malicious npm or PyPI packages. When candidates run the tasks, the malicious dependency executes on their systems.
Phase 3 – Recruiting:
Victims are lured through Reddit, Facebook groups, LinkedIn, and direct recruiter messages. Some recruiters appear real, adding credibility, but disengage when questioned about the company.
Phase 4 – Malicious dependencies:
The backend relies on malicious open-source packages hosted on npm and PyPI. Early “graph-” packages impersonate popular libraries, while later “big-” packages build user trust first, then deliver malware in delayed updates.
Phase 5 – Final payload:
Infected systems download a RAT that supports file access, command execution, and process control. The malware uses token-protected C2 communication and checks for crypto wallets like MetaMask, pointing to financial theft motives.
North Korean threat actors, widely linked to the Lazarus Group, have a long track record of abusing npm and PyPI. In 2023, researchers exposed the VMConnect campaign, where fake PyPI packages tied to sham GitHub repos delivered malware. A year later, the operation evolved into fake recruiter coding tests: victims ran malicious packages disguised as interview tasks, triggering second-stage downloads. Reports from other cybersecurity firms, including Phylum, Unit 42, Veracode, and Socket, documented similar npm campaigns.
Attribution to Lazarus is based on repeated patterns: fake job interviews, crypto-focused lures, multistage encrypted malware, delayed malicious updates, token-protected C2, and GMT+9 timestamps. The campaign’s modular design allows attackers to swap fake “frontends” while reusing backend infrastructure. With new package waves and payload variants still emerging, the operation appears ongoing and highly sophisticated.
“Evidence suggests that this is a highly sophisticated campaign. Its modularity, long-lived nature, patience in building trust across different campaign elements, and the complexity of the multilayered and encrypted malware point to the work of a state-sponsored threat actor.” concludes the report. “Fake interviews as the initial contact vector, as well as a cryptocurrency-focused story and malware, together with other techniques mentioned in this blog post, point to North Korea’s Lazarus Group. “
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – malware, graphalgo campaign)
Stranger Things concept of the “Upside Down” is a useful way to think about the risks lurking in the software we all rely on. A new report from ReversingLabs shines a light into that dark world.
The post Technology’s “Upside Down”? Software Supply Chain appeared first on The Security Ledger with Paul F. Roberts.
The open source ecosystem continues to face organized, adaptive supply chain threats that spread through compromised credentials and malicious package lifecycle scripts. The most recent example is the multi-wave Shai-Hulud campaign.
While individual incidents differ in their mechanics and speed, the pattern is consistent: Adversaries learn quickly, target maintainer workflows, and exploit trust boundaries in publication pipelines.
This post distills durable lessons and actions to help maintainers and organizations harden their systems and prepare for the next campaign, not just respond to the last one. We also share more about what’s next on the npm security roadmap over the next two quarters.
Shai-Hulud is a coordinated, multi-wave campaign targeting the JavaScript supply chain and evolved from opportunistic compromises to engineered, targeted attacks.
The first wave focused on abusing compromised maintainer accounts. It injected malicious post install scripts to slip malicious code into packages, exfiltrate secrets, and self-replicate, demonstrating how quickly a single foothold can ripple across dependencies.
The second wave, referred to as Shai-Hulud 2.0, escalated the threat: Its ability to self-replicate and spread via compromised credentials was updated to enable cross-victim credential exposure. The second wave also introduced endpoint command and control via self-hosted runner registration, harvesting a wider range of secrets to fuel further propagation, and destructive functionality. This wave added a focus on CI environments, changing its behavior when it detects it is running in this context and including privilege escalation techniques targeted to certain build agents. It also used a multi-stage payload that was harder to detect than the previous wave payload. The shortened timeline between variants signals an organized adversary studying community defenses and rapidly iterating around them.
Rather than isolated breaches, the Shai-Hulud campaigns target trust boundaries in maintainer workflows and CI publication pipelines, with a focus on credential harvesting and install-time execution. The defining characteristics we see across waves include:
Recent waves in this pattern reinforce that defenders should harden publication models and credential flows proactively, rather than tailoring mitigations to any single variant.
We’re accelerating our security roadmap to address the evolving threat landscape. Moving forward, our immediate focus is on adding support for:
Together, these investments give maintainers stronger, more flexible tools to secure their packages at every stage of the publication process.
Malware like Shai-Hulud often spreads by adding malicious code to npm packages. The malicious code is executed as part of the installation of the package so that any npm user who installs the package is compromised. The malware scavenges the local system for tokens, which it can then use to continue propagating. Since npm packages often have many dependencies, by adding malware to one package, the attacker can indirectly infect many other packages. And by hoarding some of the scavenged tokens rather than using them immediately, the attacker can launch a new campaign weeks or months after the initial compromise.
In the “References” section below, we have included links to longer articles with analysis of recent campaigns and advice on how to stay secure, so we won’t rehash all of that information here. Instead, here is a short summary of our top recommendations:
Note that the above advice is preventative. If you believe you are a victim of an attack and need help securing your GitHub or npm account, please contact GitHub Support.
The post Strengthening supply chain security: Preparing for the next malware campaign appeared first on The GitHub Blog.
Entrar